This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Raymond_Bailey
Explorer
‎2021-02-10 09:32 AM

Cloudguard egress load balancing question

Hi, 

I am having difficulty understanding how traffic initiated from a VPC makes its way through Cloudguard to the Internet. My environment is Cloudguard IaaS in AWS, using Transit Gateway. Cloudguard is setup for auto-scaling and egress only, to provide outbound internet access to VPCs. We are running R80.40 on the gateways and the on-prem management server. The management station is reachable via AWS Direct Connect. With TGW we use BGP VPNs, etc. 

[Client VPC]---[TGW]---[Security VPC with Cloudguard ASG]-->[Internet]

The minimum number of gateways in the autoscaling group is 3, scalable to 6. Each gateway performs NAT using the private eth0 IP, but it is also occurring at the instance level with the public IP associated with eth0:1, which is seen on the Internet.

Observation:

These gateways are all independent. They don't share NAT IPs. Traffic passing through a gateway is NATed with a the unique public IP associated with eth0:1.

My question:

How can session stickiness be maintained for egress traffic through Cloudguard? We see a situation where a single host in the client VPC initiates two TCP connections to a single destination IP on the Internet. The server on the Internet expects these connections to all come from a single public IP. But the two sessions are being sent across different Cloudguard gateways, and therefore have different NAT IPs. The internet server rejects the second connection and the session breaks.  

I see articles from Checkpoint about ELBs, but they are always talking about ingress traffic from the Internet. What about egress? If this were a traditional setup with either a single firewall or ClusterXL load sharing and a hide NAT range for egress, stickiness would by based on the IP of the inside host. But here, each gateway is doing its own NAT independently. Is there a solution to this problem (other than asking the vendor to rewrite their app to use cookies or something to manage sessions)?

Ray  

 

0 Kudos
2 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2021-02-10 04:38 PM

The ECMP routing 5-tupple hash on the TGW is ultimately responsible for the outbound distribution of traffic in this case.

If you need elasticity / auto-scale capabilities the GWLB might be an option moving forward and leverages an upstream NAT gateway in some topologies to avoid similar issues.

You can read more about it here further to the relevant AWS documentation:

https://community.checkpoint.com/t5/Cloud-Network-Security-IaaS/AWS-Gateway-Load-Balancer/m-p/102356

CCSM R77/R80/ELITE
0 Kudos
Raymond_Bailey
Explorer
‎2021-02-20 07:01 AM
In response to Chris_Atkinson

Thank you Chris. It appears we should not have used Cloudguard in auto-scaling mode as an egress solution. Checkpoint's deployment guides (sk132552) don't actually depict ASGs for egress, but they don't discourage it either. In the on-prem world, I think it is reasonable to say that most Checkpoint firewall administrators would never setup multiple discrete firewalls (no clustering or state awareness between them) and spray connections across them with a 5-tupple hash, round-robin, or in any other random way. That is exactly what is happening here and there are applications that break as a result. We'll take a look look at the GWLB. Thanks again.

Ray    

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events